Wednesday, August 29, 2007

XSS vulnerabilities, do they even care?

Is your site at risk? If you knew it was, would you do anything about it? I would hope so, but you'd be surprised. I've found many "very large" companies online with exploitable vulnerabilities in their main websites that could potentially be very embarrassing and costly.

This article is the first of several in which I will test the philosophy of "responsible disclosure" by contacting 5 companies and notifying them of security holes that I have found in their sites - even offering assistance and resolutions - to see how long it takes for them to fix them, if at all. I'll keep the names of the companies to myself and just describe them as "industry/estimated # of employees". Just a little white-hat test that should get interesting.

By now, most companies and organizations have a little more than a static HTML brochure online. Most sites are actually full-blown online applications, either purchased "off the shelf", developed in house, or custom developed by some third party. Dynamic sites, although a necessity, can open doors when improper techniques are used during development. Once your web application is online, ill-intentioned site visitors have all the time in the world to pick apart your site for potential vulnerabilities. I speak from experience, as web applications that I have created have been the target of attacks in the past - and I'd be ignorant to think they wouldn't be targeted again in the future.

For this test I'm going to focus on one facet of web application security, XSS (or, more confusingly, CSS in some cases - not Cascading Style Sheets). XSS stands for cross-site scripting and is generally a method employed by hackers to inject their own script or markup into the pages your site serves to other users. I have identified a diverse range of flawed websites below to see what, if anything, their reaction is to someone telling them they have a problem. Here are the companies and descriptions:

5 comments:

And we have a winner... Our "Government" (smallest-scale site, at less than 1k employees) site gratefully replied within 24 hours with a fix already in place on their production site. I consider this a great response time. We'll see if any of the big boys reply...

OK, time for an update. All but two of our companies have responded thus far. Interestingly, every response contained a derivative of "we already knew about it, and our IT department is currently looking into it". Doesn't make sense to me either.

Our smallest organization, "Government/1000 employees", still gets the gold star because they not only responded first but have already mitigated the vulnerability. The other respondents, albeit very grateful for the information, have not fixed the holes!

As for our non-respondents... The two biggest organizations contacted have yet to respond or fix the vulnerabilities. These two companies also have by far the most to lose, because these issues could be exploited to take over user sessions and launch phishing attacks - not to mention a crashing stock price if discovered.

2. Government/1,000 Employees
Notified webmasters: 8/29/2007
Response: Within 24 hours. Response too long; synopsis: thanks for the info - we took the time to fix it.
Hole fixed: YES

3. Manufacturing/23,000 Employees
Notified webmasters: 8/30/2007
Response: Within 48 hours. "Thanks for the email regarding the cross-site scripting on %%%%%%%.com. We are currently aware of a few issues and are taking them into account with a redesign which is currently in process."
Hole fixed: NO

5. Pharmaceutical/2,000 Employees
Notified webmasters: 8/30/2007
Response: Within 72 hours. "Thanks for this information. We were aware of a problem with the %%%%%%%%% and our IT team is currently working on it. Once again, many thanks."
Hole fixed: NO
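The post describes XSS as injected script reaching pages the site serves, and the update comments name session takeover as the consequence. The following is an added example written for this page, not code from any of the companies contacted or from the original post: a search-results handler in the unsafe form the post warns about, the same handler with context-aware output encoding, a crude review check a developer can run over rendered output, and the cookie flags that limit what an injected script could do with a session. The handler names and the sample query are constructed for illustration.

```python
"""Reflected XSS: unsafe string concatenation versus output encoding.

Added example, not from the original post. The handlers and the sample
request value are constructed for illustration.
"""
from html import escape
from http.cookies import SimpleCookie

# Constructed input: a search term as a browser might submit it. The
# markup characters in it are exactly what output encoding must neutralise.
CONSTRUCTED_QUERY = 'widgets"><b>not</b> <script>/*marker*/</script>'


def render_search_unsafe(query: str) -> str:
    """The pattern the post warns about: user input pasted straight into HTML.
    Whatever markup the request carried becomes part of the served page."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """HTML body context: escape & < > " ' so the input is shown as text."""
    return f"<p>Results for: {escape(query, quote=True)}</p>"


def render_attr_safe(query: str) -> str:
    """Attribute context: same escaping, and the attribute is quoted, so the
    value can neither close the attribute nor start a new tag."""
    return f'<input type="text" name="q" value="{escape(query, quote=True)}">'


def contains_live_markup(rendered: str) -> bool:
    """Crude review check: did a raw <script or a new <b> tag survive rendering?
    Only a smoke test; it complements, not replaces, proper encoding."""
    lowered = rendered.lower()
    return "<script" in lowered or "<b>" in lowered


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the session-takeover case named in the comments:
    an HttpOnly cookie is not readable by script running in the page, Secure
    keeps it off plaintext HTTP, and SameSite limits cross-site sending."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    # output(header="") yields the bare cookie string without "Set-Cookie:"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    print("unsafe :", render_search_unsafe(CONSTRUCTED_QUERY))
    print("safe   :", render_search_safe(CONSTRUCTED_QUERY))
    print("attr   :", render_attr_safe(CONSTRUCTED_QUERY))
    print("cookie :", session_cookie_header("constructed-session-id"))
```

The point of the two safe renderers is that encoding depends on where the value lands: the same `escape()` call serves both the text body and a quoted attribute here, but an unquoted attribute, a URL, or a script block would each need their own encoder, which is why templating engines that escape by default are the usual fix rather than hand-written concatenation.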